A new malware campaign has compromised nearly 2,000 WordPress websites by using Steam Community profile comments to hide malicious instructions. The campaign shows how attackers are finding creative ways to avoid detection while maintaining control over infected websites.
Security researchers at GoDaddy discovered the malware and found it active on around 1,980 WordPress sites. The campaign was first identified in July 2025 and has continued to affect websites since then.
What makes this attack unusual is its use of Steam Community profiles as part of its command-and-control infrastructure. Instead of relying on dedicated servers to send instructions to infected websites, attackers hide data inside comments posted on Steam profiles.
The malware installed on a compromised WordPress website checks specific Steam Community profiles whenever a page loads. At first, the comments on these profiles appear harmless. Some even look like ordinary text or ASCII art.

However, hidden inside those comments are invisible Unicode characters that secretly carry malicious instructions.
Researchers found that the attackers use six different invisible Unicode characters, including zero-width joiners and separators. Since these characters cannot be seen by users, they allow attackers to hide data inside normal-looking text.
The malware ignores all visible text and only reads these invisible characters. It then converts them into binary data and reconstructs a hidden payload.
According to researchers, this payload generates a URL linked to a malicious domain called hello-mywordl[.]info. The infected website then downloads JavaScript code from this domain and injects it into frontend pages.
To avoid suspicion, the downloaded malware uses filenames that resemble legitimate JavaScript libraries. Examples include names such as “asahi-jquery-min-bundle” and “lodash.core.min.js”.
This makes it harder for website administrators to spot the malicious files during routine inspections.
The malware also uses several evasion techniques. Researchers observed obfuscated strings, randomized function names, fake logging code, and the use of standard WordPress APIs. These techniques help the malware blend into normal website activity.
The final stage of the attack installs a backdoor on the infected website. This backdoor listens for specially crafted POST requests. If a specific authentication cookie is included in the request, the malware accepts and executes base64-encoded PHP code sent by the attacker.
This effectively gives attackers remote control over the compromised website. Even if some parts of the malware are removed, the backdoor can be used to reinstall malicious components.
Researchers have not yet identified the exact initial infection method. However, they believe attackers may be gaining access through stolen WordPress administrator credentials, compromised FTP or SFTP accounts, vulnerable plugins, vulnerable themes, or even supply-chain attacks.
Any of these entry points could allow attackers to place the first-stage malware on a website.
Website administrators should monitor for unusual references to Steam Community URLs, unexpected JavaScript injections, and outbound connections from WordPress servers to Steam.
Other warning signs include invisible Unicode characters in suspicious code, strange cache entries, disabled SSL verification in cURL requests, and POST requests containing suspicious authentication cookies or parameters.
Researchers also advise checking for scripts loaded from domains such as hello-mywordl[.]info.
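The warning signs above can be turned into a simple triage scan over PHP source, cache entries or database exports. The following is an added example, not code from the researchers or from the malware; it assumes that any Unicode format or line/paragraph-separator code point counts as "invisible" (the article does not list the six characters used), uses an arbitrary threshold of 16, and runs on constructed sample strings.

```python
import re
import unicodedata

# Assumption: Unicode categories Cf (format), Zl and Zp (line/paragraph separators)
# stand in for "invisible" characters; the article does not name the campaign's six.
INVISIBLE_CATEGORIES = {"Cf", "Zl", "Zp"}
IOC_DOMAIN = "hello-mywordl[.]info".replace("[.]", ".")  # defanged in the article

PATTERNS = [
    ("steam-url", re.compile(r"steamcommunity\.com", re.I)),
    ("curl-ssl-off", re.compile(
        r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
    ("ioc-domain", re.compile(re.escape(IOC_DOMAIN), re.I)),
]

def invisible_profile(text):
    """Return (total invisible chars, sorted distinct code points as 'U+XXXX')."""
    hits = [ch for ch in text if unicodedata.category(ch) in INVISIBLE_CATEGORIES]
    return len(hits), sorted({f"U+{ord(ch):04X}" for ch in hits})

def scan(text, min_invisible=16):
    """Return a list of (finding_id, detail) tuples for one blob of text."""
    findings = []
    total, distinct = invisible_profile(text)
    # A lone BOM or soft hyphen is normal; a dense mix of them is not.
    if total >= min_invisible:
        findings.append(("invisible-unicode",
                         f"{total} chars, {len(distinct)} distinct: {', '.join(distinct)}"))
    for finding_id, pattern in PATTERNS:
        match = pattern.search(text)
        if match:
            findings.append((finding_id, match.group(0)))
    return findings

# Constructed samples (not taken from the campaign).
SAMPLE_PHP = ('curl_setopt($ch, CURLOPT_URL, "https://steamcommunity.com/profiles/EXAMPLE");\n'
              'curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);')
SAMPLE_COMMENT = "gl hf! " + "\u200b\u200c\u200d\u2060" * 6
CLEAN_PHP = "\ufeff<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, blob in [("php", SAMPLE_PHP), ("comment", SAMPLE_COMMENT), ("clean", CLEAN_PHP)]:
        print(name, scan(blob))
```

A hit is a reason to inspect the file, not proof of infection: right-to-left text, emoji sequences and some editors legitimately produce format characters, so tune the threshold against known-good content.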
The safest recovery method is restoring the website from a clean backup created before the infection occurred. If a clean backup is unavailable, administrators should perform a thorough manual cleanup. Simply removing visible malware files may not be enough because any remaining backdoor component could allow attackers to reinfect the website.